Top MSSP Challenges SOAR Solutions Helps to Solve

Back to all articles

Top MSSP Challenges SOAR Helps Solve

Given the sheer range of threats facing organizations in 2020, it will result in the need for more advanced detection mechanisms. In order to compensate for their shortcomings, this necessity has led to a growing number of organizations to partner with a Managed Security Service Provider (MSSP).

As a response to the current threat landscape, MSSPs started developing managed detection and response service offerings. The main goal here is to effectively assist organizations by not only detecting a potential threat but also aid in its quick and rapid response. However, they are battling another major risk: falling victim to the same shortcomings (on an even greater scale). So, how can SOAR technology help MSSP’s overcome these challenges?

Top MSSP functions and main challenges

In this article, you will learn the core functions and capabilities that any SOAR solution should provide to assist MSSPs. We will also identify the current obstacles service providers face when trying to deliver their security services.

Challenge: Lack of integrations flow

Core function: Flexible Integrations

Bidirectional integrations are crucial in supporting full automation and orchestration. To achieve this, there are several methods that support this type of flexible integrations such as scripting languages like Perl or Python, APIs or proprietary methods. Whatever method is chosen, it will be very simple to be implemented by the MSSPs or their customers.

In cases where full bidirectional integrations are not required, unidirectional integrations can be more suitable for the customer to deploy. Accordingly, an effective SOAR platform should support common methods of data ingestion, like Syslog, database connections, APIs, email, online forms and common data standards such as CEF, OpenIOC and STIX/TAXII.

Challenge: Inflexible workflow

Core function: Process Workflows

Workflows are at the heart of the automation and orchestration activities a SOAR solution provides. These workflows help reduce the burden of repetitive tasks on an MSSP’s operations team.

There are two fundamental ways to codify process workflows within a SOAR solution:

  • Classified as linear-style playbooks
  • Flow-controlled workflows or runbooks

Both methods are suitable for different client environments and proprietary use cases. However, supported by a SOAR solution, the implementation of these workflows must be flexible enough to support almost any process which may need to be codified within the solution.

Workflows should support the use of both built-in and custom integrations, as well as the creation of manual tasks that need to be completed by an MSSP analyst or their client’s security team. Additionally, flow-controlled workflows should support multiple types of flow control mechanisms, including those that allow for an analyst to make a manual decision before the workflow continues.

Challenge: Complex nature of incident responses

Core function: Incident Management

Many organizations are relying on MSSPs to handle the entire incident response lifecycle through managed detection and response services. To properly take over the entire incident response lifecycle, a SOAR solution should provide the following incident management features:

  • Detailed task tracking, including assignment, time spent and status;
  • Asset management, tracking all physical, and virtual assets involved in the incident;
  • Evidence and chain of custody management;
  • Indicator and sample tracking, correlation and sharing;
  • Document and report management;
  • Time and monetary effort tracking.

Challenge: Inability to operationalize the data

Core function: Threat Intelligence

To discover attacks and patterns that may not have been detected through automated methods, many security service providers now include various forms of threat hunting to their service offerings.

When it comes to a multi-tenant environment, to facilitate this process, threat intelligence and correlated events should be displayed in a simple and coherent visual manner to allow analysts to effectively examine the full picture of information and gather the context necessary to issue the correct response.

Challenge: Weak information flow

Core function: Collaboration and Information Sharing

An adequate response to a security incident includes multiple individuals and potentially multiple teams and even organizations. So, to be effective in a team environment, a SOAR solution should support flawless collaboration and information sharing between team members in a controlled manner, even outside of the organization itself. This means that those who have authorization should have instant access to the status of the incident they are collaborating on and all the information gathered, as well as other actions performed by team members.

On the other hand, team members should also have the ability to communicate securely within the SOAR platform, providing an out-of-band communication mechanism when other mediums may not be trusted.

Challenge: Unreliable data segregation

Core function: Multitenancy

A SOAR solution should provide a powerful multi-tenant infrastructure required by MSSPs. Operating as a core component of MSSP operations, this infrastructure should provide accurate data segregation. Moreover, it should apply strict access control mechanisms for each tenant’s information to block any cross-contamination concerns.

The service provider should also have the ability to customize configuration options on a per-tenant basis, as well as to provide transparent access to the MSS across their entire client base.


When evaluating a SOAR solution, you should ensure that the solution provides your team with the ability to collaborate with your customers through a single platform. By providing both managed security service teams and their customers a single platform to work from, they can track previous actions, share gathered information, and view the investigative steps that have been taken during an active incident. This capability can also be extended to teams outside of the security team like the client’s IT, Human Resources department or even the MSS’ threat research teams. This will ensure that all interested parties will have access and information necessary to perform as one consolidated security solution.

Informed by our previous experience listening to customer problems and crafting unique solutions, at DFLabs, we created an unbiased guide “2020 MSSP Buyer’s Guide for SOAR Solutions” to enable you to make the most informed decision based on your individual organization requirements.

Get Started with a One-to-One Personalized Demo

Dramatically reduce the mean time to detection, response and remediation of all potential security incidents, ensuring no alert goes untouched.
See IncMan SOAR in Action.

Request a demo